The fact that social-media giants like Facebook are continuing to leak passwords and private data has long been a reminder that CISOs should be building long-term plans to transition away from decades of reliance on password-based security – but a growing base of passwordless-security tools is finally making the move possible.
Consideration of the passwordless future is being fuelled by a rise in adoption of cloud-based software-as-a-service (SaaS) applications and services; Australia is setting the pace, with adoption of SaaS environments set to quintuple this year and some 69 percent of survey respondents – up from 50 percent last year – saying they are storing sensitive data in cloud-based systems.
This fundamental shift in data architecture is creating problems for organisations that still rely on passwords, which have proven to be highly susceptible to being mismanaged, exfiltrated en masse, and used by cybercriminals for credential-stuffing attacks that can have serious consequences.
Those cybercriminals have massive volumes of data to work with: while some reports suggest users are at least trying to get better at managing passwords, the general availability of more than 1.4 billion plaintext passwords spelled problems even before Facebook was found to have stored hundreds of millions of user passwords on internal systems in plaintext.
These and other passwords were likely to end up for sale on dark web markets and posed an immediate risk to businesses from potential credential stuffing attacks. A recent breach of 620m accounts – stolen from the likes of Dubsmash, Whitepages, 500px and more – has added fuel to the fire, Bitglass chief technology officer Anurag Kahol warned.
“When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe,” he said. “Leaked credentials leave people vulnerable to account hijacking across all services where they recycle their usernames and passwords.
“Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless password habits. As such, organisations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are.”
Calling time on the password
The massive and worsening abuse of stolen credentials is driving a step change in the way CISOs deal with password threats. Indeed, fully 85 percent of CISOs are interested in replacing passwords with new authentication models, according to the recent Oracle-KPMG Cloud Threat Report.
Confusion over how to manage credentials for cloud-based services has left some 90 percent of CISOs saying they are unsure of their role in securing SaaS environments, which usually rely on passwords. Many are working to change that role by implementing authentication options other than passwords.
The FIDO Alliance’s recent approval of the WebAuthn specification for passwordless logins was likely to accelerate this push, with FIDO Alliance executive director Brett McDowell calling the decision “an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web”.
Increasingly intelligent software-defined networks will also play a role in the move away from passwords, facilitating automation of user-access policies by correlating a range of factors with analytics based on continuous analysis of user behaviour.
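The "correlating a range of factors" approach above amounts to a risk score computed per login from the user's established behaviour, with the access policy choosing between allowing, requiring a stronger factor, or denying. The block below is an added illustration of that policy shape, not the product logic of any vendor mentioned in this article; the factors, weights, thresholds, and the per-user baseline structure are assumptions chosen for the example.

```python
"""Risk-scored access decision from a per-user behavioural baseline.

Added example; factors, weights, thresholds and baseline fields are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Baseline:
    """What we have learned about a user's normal sign-in behaviour."""
    known_devices: set
    usual_countries: set
    usual_hours: range            # local hours in which the user normally signs in
    recent_failures: int = 0      # failed attempts on this account in the last hour


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    when: datetime


# Assumed weights; a real deployment would derive these from its own incident data.
WEIGHTS = {
    "new_device": 30,
    "new_country": 35,
    "off_hours": 15,
    "failed_burst": 25,
}


def score(attempt, baseline):
    """Return (total, factors): the summed risk and which signals fired."""
    factors = []
    if attempt.device_id not in baseline.known_devices:
        factors.append("new_device")
    if attempt.country not in baseline.usual_countries:
        factors.append("new_country")
    if attempt.when.hour not in baseline.usual_hours:
        factors.append("off_hours")
    if baseline.recent_failures >= 3:
        factors.append("failed_burst")
    return sum(WEIGHTS[f] for f in factors), factors


def decide(attempt, baseline, step_up_at=30, deny_at=70):
    """Map the risk score onto a policy outcome.

    'step_up' means the password alone is not trusted and a phishing-resistant
    second factor (for example a WebAuthn authenticator) is required before access.
    """
    total, factors = score(attempt, baseline)
    if total >= deny_at:
        return "deny", factors
    if total >= step_up_at:
        return "step_up", factors
    return "allow", factors


def learn(baseline, attempt):
    """Fold a successfully verified attempt back into the baseline so the same
    device and country stop raising the score next time."""
    baseline.known_devices.add(attempt.device_id)
    baseline.usual_countries.add(attempt.country)
    baseline.recent_failures = 0
    return baseline


if __name__ == "__main__":
    b = Baseline({"laptop-1"}, {"AU"}, range(7, 20))
    print(decide(LoginAttempt("alice", "laptop-1", "AU", datetime(2019, 4, 1, 9, 0)), b))
    print(decide(LoginAttempt("alice", "phone-9", "BR", datetime(2019, 4, 1, 9, 0)), b))
```

The point of `learn` is that the baseline is continuous rather than static: once a new device has been verified with the stronger factor, it joins the known set, so the policy adapts to the user rather than prompting forever.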
ManageEngine, for one, recently added user and entity behaviour analytics (UEBA) capabilities into its Log360 SIEM platform, while Fortinet this month ushered in what it’s calling the ‘third generation of cybersecurity’ by bulking out its fabric-based platform with features including AI-driven UEBA.